I was just wondering: if XP passwords can be hacked, then why can't a hacker just hack my passwords stored in my browser? Is it possible for someone to know my browser-saved passwords while I surf the internet? Does it become easy for hackers to steal from browsers that have open source code? How can I safeguard browser-saved passwords?

5 Answers
5

If a hacker gains administrative access to your computer, he can certainly steal the passwords stored in the browser. That is one of the good reasons why you shouldn't store highly sensitive passwords in the browser.

Remember that the browser must be able to decrypt your password into clear-text, in order to be able to submit it for you automatically when you wish to gain access to a site. This is what makes the browser the most vulnerable. In many other systems (including the Windows passwords), the actual passwords are not stored, but instead a one-way hash of the actual password, making it practically impossible to revert the stored value to the actual clear-text password.

It is very easy; if you want to know how, just check this out. For more, check this one from Yale University. Finally, you need not go anywhere else: check out the University of California computer science department site for your answer. You may not need to be told anything, get this one PDF :-)

In Firefox, anyone can see your saved passwords when you go to Tools, Options, then the Security tab, and then click Saved Passwords. Then click "Show Passwords" and voila! You have all of the user's passwords. Yes, there is an option to have a master password set, but most users do not do this, or are not aware of this option...

All of these browsers, no matter how you put it, can be hacked by anyone with physical or remote access to your computer.

A browser being open-sourced can go either way in a security debate. On one hand, it's bad because then people will know how it encrypts the password and hack it more easily. On the other hand, if it's open source, it'll be more rigorously tested and modified, and hence, much more secure.

My solution is to use a password manager with some decent encryption. KeePass (Windows) and 1Password (Mac) are known for having the best encryption (128-bit Rijndael, though KeePass hashes the password a lot so technically it's way more secure). Both of them have viable browser integration and should be fine for general surfing purposes.
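An added example (not part of any answer here, and not the code of any browser or of KeePass) contrasting the one-way hash used for login checks with the reversible storage that autofill needs, protected by a master password stretched with PBKDF2. The function names, the iteration count and the HMAC-based keystream standing in for a real cipher are assumptions made for this example.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this illustration

def stretch(secret: str, salt: bytes, length: int = 32) -> bytes:
    """Slow, salted one-way derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=length)

def verify_login(candidate: str, salt: bytes, stored: bytes) -> bool:
    """OS-style check: compare hashes; the password itself is never stored."""
    return hmac.compare_digest(stretch(candidate, salt), stored)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in so the example needs only the
    # standard library; a real vault would use an authenticated cipher (AES-GCM).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def vault_seal(master: str, site_password: str) -> dict:
    """Reversible storage, as autofill requires, keyed by a master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = stretch(master, salt, 64)  # first half encrypts, second half authenticates
    data = site_password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key[:32], nonce, len(data))))
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def vault_open(master: str, rec: dict) -> str:
    """Recover the clear-text password; fails without the right master password."""
    key = stretch(master, rec["salt"], 64)
    tag = hmac.new(key[32:], rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        raise ValueError("wrong master password or corrupted record")
    ks = _keystream(key[:32], rec["nonce"], len(rec["ct"]))
    return bytes(a ^ b for a, b in zip(rec["ct"], ks)).decode()

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    salt = os.urandom(16)
    stored = stretch("windows-login-pw", salt)
    print("login check:", verify_login("windows-login-pw", salt, stored))
    rec = vault_seal("my master password", "site-pw-123")
    print("autofill value:", vault_open("my master password", rec))
```

The hash side can only answer yes or no to a guess, while the vault side must hand back the clear text, so its protection rests entirely on the master password and the cost of each guess against it.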

There is a debate about it. Some people like the idea of so-called "security through obscurity". The core of that idea is that the bad guy doesn't know how the system he is attacking works. So in the case of browsers, that means that he wouldn't have access to the source code. In a perfect system, security through obscurity would make a system safer. Unfortunately, browsers aren't perfect enough for that. Usually there are bugs which go unnoticed by the development team and which may be exploited.

That's why open source browsers, like Firefox for example, use another security doctrine. Their developers believe that source code should be public. This will allow attackers to know how the browser works, but on the other side it will allow security researchers to find bugs and report them so that developers may fix them. The idea is to make a browser so safe that it has no vulnerable places which crackers can exploit. If there are no vulnerabilities, the fact that crackers know how the browser works does not help them.

This is a good comparison of the two schools of thought. I don't think that there is a debate among security researchers that security through obscurity does not work. The bad guys have infinite time and will figure out how the system works and where the bugs are. The only defense is to make it as easy as possible for the good guys to find the bugs as well. You don't need to make the source code of the entire system open, just use published cryptography algorithms instead of rolling your own.
– KeithB, Aug 29 '10 at 19:04

1

@KeithB I agree with you completely, but it seems you didn't notice that I avoided the term "security researcher" and used "some people". While problems with security through obscurity may be self-evident to serious security researchers and obvious to a large number of programmers, many people who are less competent from a computer security point of view, and who may be in high enough positions to influence the development of applications, think that it works.
– AndrejaKo, Aug 29 '10 at 20:09

2

"In a perfect system, security through obscurity would make a system safer" -- in a perfect system, it's not needed.
– Sirex, Jan 19 '11 at 11:29